Are you sure, Target?

“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Target data breach affects 40 million accounts, payment info compromised – The Washington Post

If Target’s first priority is preserving the trust of their guests and customers, they have a funny way of showing it. There is still no notice on their website’s landing page about this breach, but you best believe their tracking cookies for analytics and advertising are still present. Collect as much data as you can, guys! Lose all of it!


Changing an IP Address to Access a Public Website is Against the Law

Changing your IP address or using proxy servers to access public websites you’ve been forbidden to visit is a violation of the Computer Fraud and Abuse Act (CFAA), a judge ruled Friday.


A company called 3taps was scraping content from Craigslist and republishing it elsewhere. Craigslist sent a cease-and-desist letter and subsequently blocked access from 3taps’ networks and systems.

3taps circumvented the block by doing what every teenager in America does to get to Facebook from the school computer lab: they went behind 9,000 proxies and kept scraping the content. Craigslist sued 3taps under the CFAA, because they mad.

Special shout-out to our Congress for writing this easily misunderstood law and its six amendments, and of course to Craigslist for making this argument in court in the first place.

The company was already guilty of violating Craigslist’s Terms of Use, but Craigslist’s counsel didn’t use that argument. I am curious whether even Craigslist is of the opinion that its Terms of Use are not binding.



Using Google’s TOTP Multi-Factor Auth With PAM on Linux

Since this provides a nice second security layer for our logins, why not take advantage of it on our Linux box as well?

For a variety of reasons, I find Duo Security’s offering a much better solution for multi-factor authentication. Having said that, if you object to the ease of use, robust user management, and a slew of other things that Duo does and Google Authenticator doesn’t, I’ll pretend to understand.

Also, seriously, if you use iOS you should be aware that the Google Authenticator application is hideous (though functional). I’d recommend using Authy’s app and service for TOTP tokenized logins, and also point out that the Duo Security app can hold TOTP tokens too. The only reason I don’t use that feature is that I blow up my phone often enough that having my Google Apps, Cloudflare, Dropbox and other tokens in an account with Authy is much more convenient.

Did I mention that using Duo Security with WordPress, Remote Desktop, RADIUS, most VPN servers and SSH means that my iPhone floats me a push notification when I log in to any of the systems I’ve provisioned for it, and that it also tells me the source address of the connection? That includes IPv6 addresses, you big nerd.
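As an added illustration (not code from the linked article or from the Google Authenticator PAM module), here is the check a TOTP PAM module performs, in Python: HOTP per RFC 4226 keyed from the base32 secret the authenticator app shares, stepped by Unix time per RFC 6238, with a small clock-skew window and a replay guard that refuses a time step that already authenticated. The secret below is the RFC test-vector key, used only as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector key ("12345678901234567890" in base32).
# Constructed sample input only; a real secret is generated per user.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32, code, at, last_used_step=None, window=1, step=30):
    """Verify the way a PAM module should: accept the current time step and
    +/- `window` neighbouring steps to tolerate clock skew, but never accept a
    step at or before the one that last authenticated (replay guard).
    Returns (ok, step_used) so the caller can persist step_used."""
    now_step = at // step
    for delta in range(-window, window + 1):
        candidate = now_step + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # Constant-time comparison so a wrong code leaks no timing signal.
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            return True, candidate
    return False, None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SECRET, now))
    print("verify:", verify_totp(EXAMPLE_SECRET, totp(EXAMPLE_SECRET, now), now))
```

In a real deployment the persisted `last_used_step` is what stops a shoulder-surfed or phished code from being replayed within the same 30-second window.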


The growing global cyber-war and the marketplaces that fuel it

I really don’t like the term “cyber-war”, but what else are you going to call it when nations are weaponizing exploits to infiltrate other nations?

When unleashed into the wild, exploits can wreak havoc. A zero-day Java exploit was used by unknown hackers allegedly linked to China to penetrate Apple and Facebook’s internal systems. Zero-day exploits obtained from Gamma Group, a British “technical surveillance and monitoring group,” were allegedly used to sneak powerful surveillance software onto the computers of Egyptian, Bahraini, Ethiopian, and Malaysian dissidents.